STATEMENT OF
COMMISSIONER MICHAEL J. COPPS,
APPROVING IN PART, DISSENTING IN PART
Re: Implementation of the Telecommunications Act of 1996; Telecommunications
Carriers Use of Customer Proprietary Network Information and Other Customer
Information; Implementation of the Non-Accounting Safeguards of Sections 271
and 272 of the Communications Act of 1934, As Amended
Few rights are so fundamental as the right to privacy in our daily lives, yet few
are under such frontal assault. Today information technologies can monitor what we do,
who we talk with, what we buy, what organizations we belong to, what political activities
we undertake, what gods we worship. We may have avoided Orwell's 1984, but the
threat of technology intrusion into our private lives is not only real – it is growing.
Today we have an opportunity to do something about it. We take a baby step; I
think we could have taken a giant stride. Certainly I support that part of the Order that
will prohibit the sale or disclosure of personal data to unaffiliated third parties unless
consumers give specific approval, the so-called "opt-in" approach, and I am pleased that
the decision does not preempt states from adopting more stringent privacy protections
than we do today. But our business is communications, and when we are given the
chance to decide how communications companies handle personal information within
themselves and their affiliates, we retreat to an entirely different "opt-out" policy
whereby the company gets an always-on green light to sell personal information about its
customer unless the customer specifically takes the initiative to tell the company it may
not do so.
Today's decision is cast as pro-consumer and "opt-in" except for what is implied
to be the limited and less problematic sale of personal information to "communications-
related affiliates," "third party agents," and "joint venture partners," where "opt-out" will
be required. But everyone should understand that this decision is neither narrow nor pro-
privacy. It does not preclude companies in all instances from selling to the highest bidder
personal and detailed information about who Americans call, when they call, and how
long they talk, as long as these companies use it for some "communications related"
purpose and have some undefined and murky affiliation, agency relationship, or
partnership with the phone company. Anyone who has looked at some of the incredibly
complex organizational charts submitted in our merger proceedings knows just how
confusing and murky these affiliations can be. In that confusion and murkiness I find
potentially serious trouble for consumer privacy.
Importance of Privacy Safeguards
Telephone carriers obtain a vast amount of information about each of us. Carriers
know not only the phone services we purchase, but also personal information such as
who we call, how often, and for how long. And in a converging communications
industry, these same companies now, or may soon, also be able to track what Internet
sites we visit, who we e-mail, what cable or satellite television programs we watch, what
wireless phone calls we place, and even our location as we use our cell phone.
Companies can combine this data with other information that they buy from other
sources, such as financial data, credit histories, travel habits, and any of the myriad
invasive databases that exist in our digital world, to create a profile on each of us.
Companies can use this information, known as CPNI, for a variety of purposes.
They rely heavily on this information for marketing. Sometimes these marketing
practices are merely annoying, such as telemarketing calls and junk mail. But when this
marketing is based on in-depth personal information, it can become dangerous. CPNI
could potentially be used to allow a company to market healthcare services to people who
call certain doctors or specialists; insurance companies to know who calls AIDS hotlines;
fundraisers to identify an individual's political affiliation based on who calls the offices
of candidates or political parties; or landlords to monitor the behavior of their tenants.
When the stakes for misuse of our personal information are so high the Commission
should be extraordinarily vigilant.
Section 222 and the FCC Opt-in Decision
Congress recognized this and instructed the Commission to protect the privacy of
telephone consumers in section 222 of the Telecommunications Act. Congress
recognized that information about individual communications use requires special
privacy safeguards. In particular, section 222 limits the use and disclosure of personal
customer information unless a carrier first obtains the "approval of the customer."
In 1998, the Commission adopted rules to implement Congress' privacy directive.
The Commission correctly understood Congress's insistence on a company acquiring the
"approval of the customer" to require express approval, also known as "opt-in," for use
and disclosure of this sensitive personal information. "Approval" is clearly an active
rather than a passive requirement. "Opt-out," which would require a customer to take
affirmative action to protect his or her personal information, is a failure to object, and not
"approval." These concepts are founded on fundamentally different premises. "Opt-out"
strikes me as based on the notion that the company owns the information and can use that
information as it chooses unless there is objection from the consumer. "Opt-in" is
premised on the consumer being in control of this information and grants to each of us
the ability to authorize a company to share it with somebody else should we so choose.
On policy grounds, the Commission explained why Congress's insistence on
approval had been correct, by determining that "even assuming that an opt-out approach
can be appropriate for less sensitive customer information, such an approach would not
be appropriate for the disclosure of personal CPNI." The Commission concluded that an
express approval requirement was necessary for both privacy and competitive concerns.
It reasoned that "an express approval requirement provides superior protection for
privacy interests because, unlike under an opt-out approach, when customers must
affirmatively act before their CPNI is used or disclosed, the confidentiality of CPNI is
preserved until the customer is actually informed of its statutory protections. This
ensures that customers' privacy rights are protected against unknowing and unintended
CPNI disclosure." In addition, the Commission recognized that the limitations were
designed to eliminate restraints on competition, by "limiting the ability of incumbent
carriers to leverage their control over monopoly-derived CPNI into emerging
telecommunications markets."
On appeal, the Tenth Circuit struck down the express approval requirement
because the Commission had not built an adequate record to demonstrate that the
regulations would materially and directly alleviate privacy harms and that the regulations
were narrowly tailored so as to avoid a First Amendment violation. In particular, the
court determined that the Commission had failed adequately to consider the less
restrictive "opt-out" alternative. Importantly, the court did not hold that the express
approval requirement could not be justified or that opt-out was the only way to read
section 222. It held only that the Commission had failed to adequately justify its
decision. So I think we are being overly cautious here.
The Legal and Policy Inadequacy of Today's Order
In response to the Tenth Circuit's decision, the Commission today requires
approval only for disclosure to third parties and non-communications-related affiliates.
Contrary to law, and without policy justification, the Commission allows mere notice and
"opt-out," an absence of complaint rather than the statutorily required approval, for a
company to use, disclose, and permit access to sensitive personal information within a
company, to "communications-related affiliates," to "third party agents," and to "joint
venture partners." These activities represent the most common of all uses of CPNI.
The majority does not adequately narrow the definition of "communications
related," "affiliates," "third party agents," or "joint venture partners." Without careful
definitions the restrictions leave dangerous loopholes. I appreciate the majority's
willingness to respond to some of my concerns by stating that a carrier cannot sell such
information to a pure content provider such as the operator of a Web site, a telemarketer,
or a junk e-mailer. The definitions, however, remain unreasonably imprecise. According
to my understanding, a carrier could still market personal consumer information to, for
example, an ISP who also happens to provide content over its Internet system. Thus a
telephone company could, without the permission of its customers, sell CPNI to any
company that owns an ISP. I say this is my understanding because, even as late as this
morning, the definitions and explanations are in flux. Trying to administer a regime
whose exact parameters we, its designers, cannot pin-point creates problems. That's not
good for privacy.
The majority seems to believe that they can go no further than "opt-out" for fear
of litigation. We can be certain there will be challenges to this order no matter what
decision is made. The fear of litigation should not unduly constrain us – we will be in
court on this matter. I prefer to go there with our best foot forward, with a Commission
decision that is more securely grounded in statute and one that accomplishes the will of
Congress.
Let us be clear: the court did not require "opt-out" nor did it invalidate "opt-in."
It demanded better justification for what the previous Commission did. I do not wish to
minimize the showing we would have to make to the court, but neither do I want it to
become an obstacle for moving proactively ahead. My understanding is that to satisfy
court review, the Commission would need to provide more empirical explanation and
justification for the government's asserted interest; to demonstrate that "opt-in"
materially advances that interest; and that "opt-in" is narrowly tailored and balanced as to
its costs and benefits. I believe the Commission can effectively and convincingly meet
these tests. There is an abundance of contemporary empirical data, including consumer
surveys demonstrating consumer preferences, a state referendum in North Dakota with
easy-to-understand results, and at least one company's unhappy experiences with an "opt-
out" program. There is new case-law altogether relevant to and supportive of "opt-in."
And, as explained below, "opt-in" is both narrowly tailored and balanced.
We must always be at pains to ensure that our decisions do not violate the First
Amendment. Part of our responsibility in this instance involves adequately explaining
how our rule is necessary to protect privacy, as well as investigating whether less
restrictive alternatives exist. Some, including the dissenting judge in U S WEST, take
issue with whether the Commission's previous order implicated constitutionally protected
"speech"; whether it violated the First Amendment; and whether the Commission's
statutory construction was reasonable and thereby entitled to deference. But, even under
the test applied by the Tenth Circuit, I believe that express approval is justified,
necessary, and most clearly comports with the statute.
Section 222 limits the use of sensitive individual information without "approval
of the customer." I agree with the Commission's previous order that express approval "is
guided by the natural, common sense understanding of the term 'approval,' which we
believe generally connotes an informed and deliberate response." As the Commission
pointed out, it is "difficult to construe a customer's failure to respond to a notice as
constituting an informed approval of its contents."
Since the Tenth Circuit's decision, other courts have addressed express approval
provisions and, using the same analysis, found them not to infringe upon First
Amendment rights. In Trans Union Corp. v. FTC, the DC Circuit held that "[a]lthough
the opt-in scheme may limit more Trans Union speech than would the opt-out scheme the
company prefers, intermediate scrutiny does not obligate courts to invalidate a 'remedial
scheme because some alternative solution is marginally less intrusive on a speaker's First
Amendment interests.'"
We are left with the issue whether "opt-in" is narrowly tailored and balanced. To
decide this question, we must examine the prongs of the test applied by the Tenth Circuit.
If the speech concerns lawful activity, we must determine whether there is a substantial
state interest in regulating the speech, whether the regulation materially and directly
advances that interest, and whether the regulation is no more extensive than necessary to
alleviate the harm.
The majority agrees that the first two prongs are met for both "opt-out" and "opt-
in." Thus, the relevant question at issue is whether "opt-in" is narrowly drawn or
whether some lesser alternative such as "opt-out" would serve the government's interest.
We have seen in several contexts that "opt-out" does not adequately protect consumers'
privacy interests. As today's order details, significant concerns have been raised about
the effectiveness of "opt-out" requirements in the banking and financial sectors.
Similarly, in the telecommunications sector, we have seen one example after another of
instances where notice and "opt-out" have been ineffective in ensuring "that customers
maintain control over carrier use of sensitive CPNI, and that those that wish to limit the
use and dissemination of their information will know how, and be able to do so."
Attorneys General from 39 states strongly advocate an express approval requirement
because "opt-out" has proven so ineffective. A number of these Attorneys General have
expressed concern about "opt-out" notices from telecommunications companies that are
unclear and confusing and may therefore have been ignored or misunderstood by
consumers.
Even were I to approve the use of "opt-out," I would dissent from the
Commission's rules here because these rules do not adequately address the problem at
hand. Indeed, to develop an effective "opt-out" mechanism would require more detailed
rules to ensure that consumers have a user-friendly, understandable and effective
mechanism. Because companies view personal data as so valuable, they do not have an
incentive to offer opt-out mechanisms that make it easy for consumers to choose to
protect their privacy. Many companies simply do not want customers to take advantage
of "opting-out." So companies may reduce the likelihood of customers "opting-out" by
providing notices that are lengthy, vague, obscured by other information or confusing.
Consumers may not understand the extent of the use of the information, for example, if
the company buries the information about sharing with affiliates and joint venture
partners in the middle of a long disclosure form.
"Opt-in," on the other hand, provides an incentive to companies to ensure that
customers read, understand, and respond to a notice. I fear that today's decision –
adopting "opt-out" and failure to provide adequate rules -- will lead inevitably to
consumer abuses in the marketplace.
Today's decision puts the burden on the competitive marketplace to constrain use
of personal information, arguing that carriers will not want to lose their customers due to
misuse of information. But it is this same competitive marketplace that will put added
pressure on carriers to create customer profiles to enhance their marketing efforts. We've
all seen in recent weeks what havoc the pressures of the marketplace can cause. Threats
to privacy will become even greater as data processing technology grows increasingly
sophisticated and carriers become even more integrated through increasing consolidation.
Moreover, "[e]ven if market forces provide carriers with incentives not to abuse their
customer's privacy rights . . . these forces would not protect competitors' concerns that
CPNI could be used successfully to leverage former monopoly power into other
markets."
In light of the grave privacy and competition harms that this order could cause, I
respectfully dissent from those parts of this decision that allow carriers to use sensitive
personal information without first obtaining the express approval of the customer.
47 U.S.C. § 222.
Implementation of the Telecommunications Act of 1996; Telecommunications Carriers Use of Customer
Proprietary Network Information and Other Customer Information; Implementation of the Non-Accounting
Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, Second Report and
Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061, 8133 (1998) (CPNI Order).
Id.
Id. at 8145.
Id. at 8130; see also U.S. WEST, Inc. v. FCC, 182 F.3d 1224, 1241 (10th Cir. 1999) (Briscoe, J.,
dissenting) ("Although Congress did not specifically define the term 'approval' in the statute, its ordinary
and natural meaning clearly 'implies knowledge and exercise of discretion after knowledge.'")
CPNI Order at 8131.
Trans Union Corp. v. FTC, 267 F.3d 1138, 1143 (D.C. Cir. 2001)
CPNI Order at 8138.
Id. at 8134.
6